Hello
I have a few files/directories in /run (or /var/run) that do not have the
correct SELinux contexts. Notably, files belonging to samba and fail2ban,
but there may be others.
I thought this might be related to the /run migration bug (424173) but
it seems to restore to the correct contexts, just that the files are not
created with the correct contexts. How are the contexts of these files
usually managed?
#output from matchpathcon:
/run/dbus.pid has context system_u:object_r:system_dbusd_var_run_t, should be <<none>>
/run/fail2ban has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:fail2ban_var_run_t
/run/lvm has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:var_run_t
/run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
/run/privoxy-tor.pid has context system_u:object_r:privoxy_var_run_t, should be <<none>>
/run/samba has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:smbd_var_run_t
/run/saslauthd has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:var_run_t
/run/sepermit has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:pam_var_run_t
/run/sshd.pid has context system_u:object_r:sshd_var_run_t, should be <<none>>
/run/syslog-ng.ctl has context system_u:object_r:devlog_t, should be system_u:object_r:syslogd_var_run_t
#output from restorecon -rv /run
restorecon: Warning no default label for /run/sshd.pid
restorecon: Warning no default label for /run/privoxy-tor.pid
restorecon reset /run/ntpd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:ntpd_var_run_t
restorecon reset /run/fail2ban context system_u:object_r:initrc_var_run_t->system_u:object_r:fail2ban_var_run_t
restorecon reset /run/fail2ban/fail2ban.sock context system_u:object_r:initrc_var_run_t->system_u:object_r:fail2ban_var_run_t
restorecon reset /run/fail2ban/fail2ban.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:fail2ban_var_run_t
restorecon reset /run/syslog-ng.ctl context system_u:object_r:devlog_t->system_u:object_r:syslogd_var_run_t
restorecon: Warning no default label for /run/dbus.pid
restorecon reset /run/sepermit context system_u:object_r:initrc_var_run_t->system_u:object_r:pam_var_run_t
restorecon reset /run/samba context system_u:object_r:initrc_var_run_t->system_u:object_r:smbd_var_run_t
restorecon reset /run/samba/nmbd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:nmbd_var_run_t
restorecon reset /run/samba/smbd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:smbd_var_run_t
restorecon reset /run/lvm context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /run/saslauthd context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /run/lock/lvm context system_u:object_r:var_lock_t->system_u:object_r:lvm_lock_t
#from the mount command:
tmpfs on /run type tmpfs (rw,rootcontext=system_u:object_r:var_run_t,seclabel,nosuid,nodev,relatime,mode=755)
Thanks
--
Ben Pritchard
ben@bennyp.org
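
An added example, not part of the original message: a small Python triage of the "has context ..., should be ..." report quoted above. It separates paths with no default label (`<<none>>`, which restorecon only warns about) from paths whose type differs, grouped by the type they currently carry. The names `triage` and `selinux_type` are hypothetical, and the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the matchpathcon output in the post.
SAMPLE = """\
/run/dbus.pid has context system_u:object_r:system_dbusd_var_run_t, should be <<none>>
/run/fail2ban has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:fail2ban_var_run_t
/run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
/run/syslog-ng.ctl has context system_u:object_r:devlog_t, should be system_u:object_r:syslogd_var_run_t
"""

# One report line: "<path> has context <current>, should be <expected>"
LINE = re.compile(r"^(?P<path>.+) has context (?P<cur>\S+), should be (?P<exp>\S+)$")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def triage(report):
    """Split a verify report into (no_default_label, mismatches_by_current_type).

    no_default_label: paths the loaded file contexts have no entry for.
    mismatches_by_current_type: {current_type: [(path, expected_type), ...]}
    """
    no_default = []
    by_current = defaultdict(list)
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers, blank lines, anything not in report format
        if m["exp"] == "<<none>>":
            no_default.append(m["path"])
            continue
        cur, exp = selinux_type(m["cur"]), selinux_type(m["exp"])
        if cur != exp:
            by_current[cur].append((m["path"], exp))
    return no_default, dict(by_current)


if __name__ == "__main__":
    missing, grouped = triage(SAMPLE)
    print("no default label:", ", ".join(missing))
    for cur, items in sorted(grouped.items()):
        print(f"currently {cur}:")
        for path, exp in items:
            print(f"  {path} -> {exp}")
```
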